What are the main security risks of popular cloud storage services such as Dropbox? I am torn between the convenience of cloud storage and the potential security risk of it. How can I evaluate whether a particular service meets my security requirements?

As it is, this question will solicit very subjective answers. Could you change the question such that it can have a "correct" answer?
– Ladadadada Apr 15 '12 at 16:58

It also depends on your security requirements; could you detail this more? Certain cloud providers have certifications and contractual terms regarding their availability and privacy. However, those assurances and the ability to sue your provider might not be helpful if your security requirements are high enough that financial compensation is not enough.
– Bushibytes Apr 16 '12 at 16:38

4 Answers
4

Besides what Jippie points out, you have no reassurance regarding confidentiality in a Cloud environment. For instance, when using Google Docs you allow Google to apply data mining to your documents. MS 360, however, promises not to do this (according to their license).

You have less control over what happens to your documents in a public cloud. However, there are ways to set up your own private Cloud. It is more expensive, but you get a lot more control. If you do not have any sensitive data, I would use cloud storage; otherwise I would just do it the old-fashioned way or get a private cloud.

The obvious answer to confidentiality is client side encryption. Heard a lot about it, but I have no idea how that can be configured properly.
– jippie Apr 15 '12 at 18:21

2

Most current cloud providers are based in the United States and therefore the Patriot Act applies. This basically means that the US government can demand any data on any server anywhere in the world, as long as the cloud provider is US based.
– jippie Apr 15 '12 at 18:24

2

Examples of cloud storage providers that support client-side encryption with keys unknown to the provider are CrashPlan, TeamDrive or JungleDisk, and all of them are fairly easy to set up. Mozy does not encrypt file and folder names.
– twobeers Apr 16 '12 at 11:18

No. The biggest risk I fear is some government closing down the service because of suspected illegal use, taking all disks for analysis and leaving me as a sincere user without my file backups, e.g. Megaupload (Megabackup).

IMHO, one big issue regarding the security of your cloud-stored data is the fact that usually cloud services don't store the data encrypted on their servers.
As jippie pointed out, client side encryption is the magic word. If your data is already encrypted before it gets uploaded, the cloud provider has no chance to access your data.
As far as I know, Wuala is one of very few providers which implemented client side encryption (see http://www.wuala.com/en/learn/technology). And they're in Europe, so no Patriot Act...

Wuala uses content-based encryption and derives the keys used to encrypt the files on the client side from the content of the files. This enables the use of deduplication, but it also enables new kinds of attacks. Still better than using Dropbox or any provider that doesn't use client-side keys for encryption.
– twobeers Apr 16 '12 at 11:22
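
The trade-off described in the comment above, as an added example that is not part of the original thread and not Wuala's actual scheme: it contrasts content-derived keys with per-upload random keys and shows what a storage provider can observe without holding any key. The function names, the SHA-256 key derivation and the use of AES-256-GCM are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// seal encrypts with AES-256-GCM and returns nonce||ciphertext||tag.
func seal(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte{}, nonce...), nonce, plaintext, nil), nil
}
// convergentEncrypt derives the key from the file content (content-based encryption).
// The fixed nonce is tolerable only because each key ever encrypts one plaintext.
func convergentEncrypt(plaintext []byte) ([]byte, error) {
	key := sha256.Sum256(plaintext)
	return seal(key[:], make([]byte, 12), plaintext)
}
// randomKeyEncrypt uses a fresh random key and nonce; the key never leaves the client.
func randomKeyEncrypt(plaintext []byte) (key, blob []byte, err error) {
	buf := make([]byte, 32+12)
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	blob, err = seal(buf[:32], buf[32:], plaintext)
	return buf[:32], blob, err
}
// providerCanLink reports what a provider learns without any key: equal blobs.
func providerCanLink(a, b []byte) bool { return bytes.Equal(a, b) }

func main() {
	doc := []byte("constructed sample file contents")
	c1, _ := convergentEncrypt(doc) // uploaded by user A
	c2, _ := convergentEncrypt(doc) // uploaded by user B
	_, r1, _ := randomKeyEncrypt(doc)
	_, r2, _ := randomKeyEncrypt(doc)
	fmt.Println("convergent uploads linkable:", providerCanLink(c1, c2))
	fmt.Println("random-key uploads linkable:", providerCanLink(r1, r2))
}
```

Identical blobs are what make deduplication possible, and they are also what lets the provider see that two accounts hold the same file; with random keys neither is possible.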

First of all, I suggest you have a look at the service's website and read how it handles security. This gives you a basic idea of how much the service cares about the safety of your data. Of course, this means nothing, but it's still something, and it also allows you to compare different services.

The best you can do to keep your data secure is encrypting it before it leaves your computer. This way, even if the company hosts and sees your files, it won't be able to access their content.

The only thing they could do is delete them if they decide to close the service, so at least in this sense cloud storage is not 100% secure.